njrat | a5eb97f797fbea357ce38999264e709e0622221cf08a2f677fd1b6f3ee15d7f9 | Triage

Sharing

General

Target

f5fb019ecf7570fa904d884db9f05f9c_JaffaCakes118
Size

49KB
Sample

240925-pbjmnsxfqg
MD5

f5fb019ecf7570fa904d884db9f05f9c
SHA1

84e28207f86bdbc534dfc8b10520ce61ad202d23
SHA256

a5eb97f797fbea357ce38999264e709e0622221cf08a2f677fd1b6f3ee15d7f9
SHA512

feab45b67572849096c2d380581fdb4fd23312361db7784a7b3bef62a39a3eda055b1b7bf708f448147c915fe832634ea046e7e59162b5dcdc7beeb533be9d4a
SSDEEP

768:o2DXFFhheexEj7I46aOqb3g5W1PeYXjNe2uBYITGuSJ0isjcZy8s/AjpS:tBheexEjd6azCPlKuSJecZZsCS

Score

10^/10

njrat ynhf evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ynhf

C2

127.0.0.1:5050

Mutex

ab524651e5ce0e49a43154d04c752315

Attributes

reg_key
ab524651e5ce0e49a43154d04c752315
splitter
|'|'|

Targets

- Target
  
  f5fb019ecf7570fa904d884db9f05f9c_JaffaCakes118
- Size
  
  49KB
- MD5
  
  f5fb019ecf7570fa904d884db9f05f9c
- SHA1
  
  84e28207f86bdbc534dfc8b10520ce61ad202d23
- SHA256
  
  a5eb97f797fbea357ce38999264e709e0622221cf08a2f677fd1b6f3ee15d7f9
- SHA512
  
  feab45b67572849096c2d380581fdb4fd23312361db7784a7b3bef62a39a3eda055b1b7bf708f448147c915fe832634ea046e7e59162b5dcdc7beeb533be9d4a
- SSDEEP
  
  768:o2DXFFhheexEj7I46aOqb3g5W1PeYXjNe2uBYITGuSJ0isjcZy8s/AjpS:tBheexEjd6azCPlKuSJecZZsCS
Score

10^/10

njrat ynhf evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratynhfevasionpersistenceprivilege_escalationtrojan

behavioral2

njratynhfevasionpersistenceprivilege_escalationtrojan